Privacy Spheres: User, Joint & Recipient

Although information security and privacy are of particular importance in technological design, critics point out that many systems engineers have yet to recognize its significance. According to Saadi Lahlou’s study on privacy and trust issues, engineers tend to view privacy issues as “an abstract problem, not an immediate problem, not a problem at all (firewalls and cryptography would take care of it), not their problem (one for politicians, lawmakers, or society), or simply not part of the project deliverables.”


A holistic view of the privacy field conceptualizes privacy approaches along a spectrum of system design possibilities. While a number of researchers have proposed system design frameworks, Sarah Spiekermann and Lorie Faith Cranor have developed a framework in their paper, “Engineering Privacy,” which conceptualizes privacy engineering within a systematic structure.


Responsibilities of the Engineer

Typically, engineers have two key privacy responsibilities:

  1. Allowing end users to exercise immediate control over access to personal data about themselves.
  2. Minimizing future privacy risks by protecting data after it is no longer under a user’s direct control.

Engineers must fulfill these responsibilities in three distinct technical spaces: the user sphere, the recipient sphere and the joint sphere. These “spheres” or domains are described in greater detail in the following sections of this article.

User Sphere

This is understood as the user’s device. A privacy-friendly perspective argues that user devices should be controllable by the people who won them. This means that data should not be able to flow in/out of the devices unless the owners are able to intervene. Physical privacy should also be respected, meaning that the devices should interrupt the owners only when necessary and at appropriate times.


When considering the user sphere, engineers need to consider the following issues:

-          What types of data is being transferred from the client to a data recipient?

-          Are users explicitly involved in data transfers?

-          Are users aware of remote/local application storing data on their systems?

-          Is data storage classified as transient or persistent?


In the user sphere, data is stored on users’ desktop computers, laptops, mobile phones and RFID chips.


Within the user sphere, user privacy concerns include:

-          Unauthorized collection of data

-          Unauthorized execution

-          Exposure

-          Unwanted inflow of data


Recipient Sphere

The recipient sphere involves backend infrastructure and data sharing networks. It can be considered a company-centric sphere of data control. While information in this sphere is less open to public criticism, engineers must be aware of potential privacy breaches, for instance, due to data leakage, uncontrolled access/sharing, or undocumented access/sharing.


When considering the recipient sphere, engineers need to consider the following issues:

-          What types of data is being shared by the data recipient with other parties?

-          Can users expect transfers of their data by the recipient?

-          How can users be certain that their personal data is adequately secured?

-          Is data storage classified as transient or persistent?

-          Can users anticipate the processing of their personal data?

-          Will there be secondary uses of the data? Will users be clear on such uses?

-          How can processing be minimized?


In the recipient sphere, data is stored with any data recipients and data bases of network providers; service providers; and other parties with whom data may be shared.


Within the recipient sphere, user privacy concerns include:

-          ­Internal unauthorized use

-          External unauthorized use

-          Improper access

-          Errors

-          Reduced judgement

-          Combining data

Joint Sphere

The joint sphere includes companies that host data and provide additional services. While such services are under the full control of the companies that provide them, users may believe they have privacy when they use such services. For instance, many websites will provide a free email service to their users. Users may expect to have privacy while using the email services and may believe that the company is protecting their privacy. This, however, is not the case. Many companies engage in mining user accounts for advertising purposes.

These personal service environments require stringent privacy design to ensure that users and providers are on the same page in terms of the degree of access that is allowed to personal information. Engineers should also be mindful of the proper security mechanisms to minimize the risk of personal data abuse.

When considering the joint sphere, engineers need to consider the following issues:

-          Are users fully aware of how their data is being used?

-          Can users control how their data is being used?

In the joint sphere, data is stored on the servers and databases of web service providers.

Within the joint sphere, user privacy concerns include:

-          Exposure

-          Reduced judgement

-          Improper access

-          Unauthorized secondary use


This article explores the three privacy spheres: the user sphere, joint sphere and recipient sphere. The notion of three privacy spheres was developed by Cranor and Spiekermann, in their article “Engineering Privacy.” These are three distinct domains in which systems engineers must consider design implications on privacy. Across all three spheres, engineers have the obligation to give users control over their personal information as well as minimize users’ future privacy risks. Using the concept of the three spheres can help engineers approach privacy protection in a more holistic manner.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

  • Privacy Responsibility Framework – User Sphere, Recipient Sphere, Joint Sphere (I.A.c.i. – I.A.c.iii.)



Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>